Frequently Asked Question
Can a payment application that implements the same cryptographic keys across multiple installations be PA-DSS compliant?
No. If cryptographic keys are provided by the application vendor as part of the application, the keys must be unique to each customer or installation. An application that requires the same key to be used across all installations or by different customers does not meet the requirement for "strong cryptography". If the application includes any default cryptographic keys, those keys must be able to be changed by the customer. Additionally, the vendor must provide instructions in the PA-DSS Implementation Guide that all default keys must be changed and how to perform the key changes.
Originally published: April 2012
Article Number: 1052
